FS#1083 - ar71xx Kernel 4.9 PPTP Passthrough not working #6794

Closed
openwrt-bot opened this issue Oct 19, 2017 · 7 comments

nouman8:

Today I compiled for my TP-Link MR3420 v2 with kernel 4.9 by simply changing KERNEL_PATCHVER:=4.4 to KERNEL_PATCHVER:=4.9 in target/linux/ar71xx/Makefile. Everything works well so far, except that I am not able to connect to the VPN, which was working previously with LEDE compiled with the 4.4 kernel a week back.


chandlerding:

Install kmod-nf-nathelper-extra and try again?


nouman8:

kmod-nf-nathelper-extra is installed


nouman8:

Could anyone else test this behavior on their ar71xx device with the 4.9 kernel?


maabo:

Yes, me.
Way to reproduce:

  1. flash the Reboot development snapshot image https://downloads.lede-project.org/snapshots/targets/ar71xx/generic/lede-ar71xx-generic-tl-mr3420-v2-squashfs-sysupgrade.bin
  2. opkg install kmod-nf-nathelper-extra
  3. try the PPTP connection from LAN to an external host, without success

I have tried to compile the image from trunk sources, then tried the image generator, but it is always the same:

the module nf_nat_pptp is loaded, but not working with the 4.9.65 kernel.

I found that this message appeared in the kernel logs:
"nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead."
I'm not sure if it is relevant to this issue; maybe not.

I attached some more detailed info to this post. If you need any other traces to investigate, don't hesitate to contact me.
Thanks

Martin


maabo:

And I confirm that after building the image from trunk source with KERNEL_PATCHVER:=4.4 the problem disappeared.
PPTP works fine with the older kernel.
All other options in .config remain the same as they were before with the 4.9 kernel.


arjendekorte:

This is not surprising. The default for automatic loading of connection tracking helpers was changed in kernel-4.7. So with kernel-4.4, the pptp helper will be loaded automatically when PPTP traffic is seen, but for kernel-4.9 you'll have to do that explicitly.

Adding something along the lines of

iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

should load the connection tracker helper in your firewall. You could append this line to your /etc/firewall.user for instance to load it automatically.
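The CT-target approach from the comment above, packaged as a small check-and-install script. This is an added example, not code from the bug report or from OpenWrt/LEDE; it assumes iptables with the raw table and the CT target is available on the router and that the pptp helper modules from kmod-nf-nathelper-extra are installed. It also covers the PREROUTING chain, which is where connections forwarded from LAN clients (the passthrough case in this report) are tagged; OUTPUT only matches connections the router itself opens.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes: iptables with the raw table
# and the CT target available, pptp helper modules installed. HELPER and PORT
# are this script's own variables (constructed defaults).
HELPER="${HELPER:-pptp}"
PORT="${PORT:-1723}"

# Detection: the kernel log line quoted in the report means automatic helper
# assignment is off, so PPTP will silently fail without an explicit CT rule.
# Reads log text on stdin (e.g. `dmesg | needs_explicit_helper`); exit 0 if found.
needs_explicit_helper() {
  grep -q 'default automatic helper assignment has been turned off'
}

# Build the rule text for one raw-table chain. PREROUTING tags connections
# that enter the router (LAN clients passing through to an external PPTP
# server); OUTPUT tags connections the router itself opens.
ct_rule() {
  printf 'iptables -t raw -A %s -p tcp -m tcp --dport %s -j CT --helper %s\n' \
    "$1" "$PORT" "$HELPER"
}

# Is a CT rule for this helper already present in the chain? Keeps re-runs
# (e.g. from /etc/firewall.user) from stacking duplicate rules.
rule_present() {
  iptables -t raw -S "$1" 2>/dev/null | grep -q -- "-j CT --helper $HELPER"
}

# Install the rules only where they are missing.
apply_rules() {
  for chain in PREROUTING OUTPUT; do
    rule_present "$chain" || \
      iptables -t raw -A "$chain" -p tcp -m tcp --dport "$PORT" \
        -j CT --helper "$HELPER"
  done
}

# Run with "apply" to install; without it, just print the rules for review.
if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  ct_rule PREROUTING
  ct_rule OUTPUT
fi
```

Because the helper is only attached to flows that match a CT rule, scoping it to the PPTP control port (rather than enabling helpers globally) keeps the smaller attack surface the kernel change was made for.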


maabo:

Hello, and thank you for clearing it up!
After days of trying to get it to work, I finally got an answer.

I decided to keep the older kernel and wait some additional time before updating to 4.9, until all these issues with conntrack helpers have been tested, better documented and handled in a user-friendly way.

I understand that the automatic loading could be a security issue.
BUT not 100% of the users are iptables-config aware, so IMHO this is not the right way to get it working.
Before, it was enough to install kmod-nf-nathelper-extra and all kinds of traffic passed through like a charm.
But now I'm not sure if I can yet determine all of the helpers which will be needed in the future, in order to add them manually to the .config. It is probably not secure to enable all of them yet (?); and after 1-2 years I will not remember how to do it, or even determine that I need to do it.

P.S.: IMHO a solution to achieve better security but keep user-friendly management could be splitting nathelpers-extra into more specific nathelper-pptp, nathelper-sip, etc. and adding the iptables record automatically within the installation, without forcing users to do it manually. OR make LuCI capable of handling the conntrack config.
